» Home » troubleshooting » WordPress – Hacked by badi

WordPress – Hacked by badi

This was not specifically a WordPress hack but rather a server hack that needs to ultimately to be dealt with by your website host.

To fix start by changing your character encoding back to UTF-8 from UTF-7 by clicking Settings > Reading and typing in UTF-8 under the ‘Encoding for pages and feeds’ section and clicking ‘Save Changes’.

Next, goto Appearance > Widgets and finding a Text widget installed with the following or similar script in the text box. It might appear under ‘Inactive Sidebar’.

“<script>document.documentElement.innerHTML = unescape(‘%48%61%63%6b%65%64%20%42%79%20%42%61%64%69’);</script>”

You’ll need to reconfigure your widgets.

Then change your site title back under Settings > General.

UTF-7, which the hack sets your character set to is to allow code to be passed through the DB and is detrimental from a security point of view.

If you go into the Settings > Reading screen in the BEFORE you delete Badi’s text widget with his/her script in, then you see an option called  ‘Encoding for pages and feeds’ to set the character encoding back to UTF-8. If you delete the script then that option disappears.

The option was taken out of the dashboard in WP 3.5.

11 thoughts on “WordPress – Hacked by badi”

  1. Thanks a lot for your help! First time here with a wordpress site hacked!! 🙁
    Now everything’s ok! Thanks again!! 😀


  2. I deleted the widget text first not reading this till now – and well now i cant log into my admin area or see my site, any suggestions?

  3. Thanks Grant. Best if you take the actual script code out of the example above. If it is real someone else might try it.

    This hack is a defacement and affects other sites including Joomla. It is not a WordPress issue only. The common factor is cpanel.

    Changing the charset back, deleting the widget and resetting the title is all well and good but won’t stop the same exploit from being repeated.

    Everyone who has the issue needs to check that their web host has fixed the cause of the breach. That cause is a symlink exploit to Apache / cpanel. Get your hosting company engineers to check this link http://whmscripts.net/misc/2013/apache-symlink-security-issue-fixpatch/

  4. Thanks Jason, you’re 100% correct about this being a hosting issue and the need for this hack to be fixed server wide. For now I feel that leaving the code is more useful for correcting this issue than anyone finding it and using it maliciously.

  5. Oh!!! Thank you so much for the help. You really saved me!!! Really appreciate it bro…

    Could you please let us know how to prevent these type of hackers . That would be much appreciated…

    Thanks again!!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.